Authorization not limited to Network/mask

Added by Mikael Karlsson about 10 years ago

Hi,

For accessing the web interface I have configured two networks in different entries
192.168.1.0/24 - my internal LAN
xx.yy.zz.0/26 - 64 addresses from the outside of my router.

For the outside I have enabled web interface/streaming for all and DVR for an authenticated user.
It seems however that I can reach the web interface from any outside address and log in as "DVR" user too, but not as "admin" user (luckily) which is only registered on the internal lan.
Am I mistaken in my assumption that access should be restricted to xx.yy.zz.1-64 only for outside access?

Build: 3.9.1987~gc053acd

BR / Mikael


Replies (6)

RE: Authorization not limited to Network/mask - Added by Prof Yaffle about 10 years ago

Try switching trace on in debugging options - that (as of a few revisions ago - you're recent enough with c053acd) will print out the matching ACL information. That might help you work out whether you're unintentionally matching more than one rule (e.g. if they're OR-ed together in some way).

RE: Authorization not limited to Network/mask - Added by Mikael Karlsson about 10 years ago

I will do so.
Meanwhile I checked the syslog and the hostname is printed as my router's WAN address, which is in the allowed range (xx.yy.zz.10). Can this be the problem?

RE: Authorization not limited to Network/mask - Added by Mikael Karlsson about 10 years ago

It will not start with trace enabled, it just prints the help page, which says --trace is an option...
./tvheadend/build.linux/tvheadend -s --trace
Usage: ./tvheadend/build.linux/tvheadend [OPTIONS]

Generic Options
...

Best Regards /Mikael

RE: Authorization not limited to Network/mask - Added by Prof Yaffle about 10 years ago

--trace all will switch it on for all modules.

You may have to build with --enable-trace, I'm not 100% certain.

RE: Authorization not limited to Network/mask - Added by Mikael Karlsson about 10 years ago

Thanks,

--trace access did the trick.

As a matter of fact it turns out that all outside addresses are translated to the router's address, which, since it is within the range, is allowed. I guess since I am using NAT in the router and pointing to the internal tvheadend server this is common behaviour?

2014-11-03 21:31:25.760 [ TRACE]:access: xx.yy.zz.10:<no-user> [SAW], conn=0, chmin=0, chmax=0, profile=ANY, dvr=ANY, tag=ANY

Nothing to do with tvheadend in such case, just my limited knowledge of networking and how devices are supposed to work. I just don't understand why the router could not have passed the real source address instead of translating to its own.

Sorry to have bothered you on this matter.
/Mikael

RE: Authorization not limited to Network/mask - Added by Prof Yaffle about 10 years ago

No, don't apologise - it's useful for others to realise that's what's happening. Thanks for posting back.

Yes, you're almost certainly right: NAT is translating the address so tvh sees the packets as they're forwarded from the LAN interface, and not the source WAN address. Truth be told, you'd probably be better off using a VPN if you can, as port forwarding of any description is a bit of a blunt approach - that gives the user/password security you need and could perhaps even be secured further by IP or MAC address if your router supports that.
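The network/mask matching and the NAT effect the thread arrives at, as an added example that is not part of the original thread or of Tvheadend's code. It assumes the thread's two ACL entries (with the documentation prefix 198.51.100.0/26 standing in for xx.yy.zz.0/26), and adds a defender's check over trace lines in the quoted "--trace access" format that flags when every outside connection shares one source address:

```python
import ipaddress
import re
from collections import Counter

# Constructed ACL mirroring the thread: admin only on the internal LAN, DVR also
# from the outside /26. 198.51.100.0/26 is a placeholder for the real xx.yy.zz.0/26.
ACL = [
    {"network": ipaddress.ip_network("192.168.1.0/24"), "users": {"admin", "DVR"}},
    {"network": ipaddress.ip_network("198.51.100.0/26"), "users": {"DVR"}},
]

# Shape of the "--trace access" line quoted in the thread (assumed from that one sample).
TRACE_RE = re.compile(r"access: (?P<ip>[\d.]+):<?(?P<user>[^>\s]+)>? \[")

def is_allowed(source_ip, user):
    """Network/mask check: the source must lie inside an entry that also lists
    the user. Any address inside the block passes, so a NAT router whose own
    WAN address sits in the /26 lets every client behind that translation in."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in e["network"] and user in e["users"] for e in ACL)

def nat_collapse(trace_lines, inside=ipaddress.ip_network("192.168.1.0/24")):
    """If all connections not from the inside LAN share a single source address,
    the router is very likely rewriting outside clients to its own address.
    Returns that address, or None when the outside sources look distinct."""
    outside = Counter()
    for line in trace_lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip not in inside:
            outside[str(ip)] += 1
    if len(outside) == 1 and sum(outside.values()) >= 2:
        return next(iter(outside))
    return None

# Constructed trace lines; 198.51.100.10 stands in for the router's WAN address.
SAMPLE_TRACE = [
    "2014-11-03 21:31:25.760 [ TRACE]:access: 198.51.100.10:<no-user> [SAW], conn=0",
    "2014-11-03 21:32:01.002 [ TRACE]:access: 198.51.100.10:DVR [SAW], conn=1",
    "2014-11-03 21:33:10.410 [ TRACE]:access: 192.168.1.23:admin [SAW], conn=1",
]
```

Running `nat_collapse(SAMPLE_TRACE)` returns the single outside address, which is the signal that the network/mask entry is no longer restricting anything beyond the router itself.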
